OpenPGP Card

This post is a work in progress

Like the chip on a credit or debit card, the OpenPGP Card is a smartcard: the private keys live on the card and every signing, decryption and authentication operation is carried out by the card's own processor, so the private keys never leave it (the host only ever sees the results). What makes it so handy is that it holds three RSA keys of up to 4096 bits, one each for signing, encryption and authentication. Keys generated on the card cannot be exported or backed up; if you need a backup, generate the keys off-card and load them onto it.

Hardware

Preparing Your System

Packages (Names from Arch):

  • gnupg
  • pcsclite (PC/SC smartcard daemon)
  • pcsc-tools (smartcard utilities)
  • libusb-compat (USB compatibility library)
  • ccid (USB smartcard protocol)

Then enable and start the daemon: systemctl enable --now pcscd.service

Let GnuPG know where things are. card-timeout powers the card down after the given number of seconds of inactivity; powering down also resets the card's verified-PIN state, so an idle card cannot be used again without the PIN:

# ~/.gnupg/scdaemon.conf

pcsc-driver /usr/lib/libpcsclite.so
card-timeout 5

Create a group "pcscd", add your user to it (log in again afterwards so the new group takes effect), and let members of that group access USB devices that look like card readers (USB interface class 0b is CCID) by adding the following udev rules; reload udev afterwards with udevadm control --reload:

# /etc/udev/rules.d/95-pcscd-rules-local.rules

#####################################################################
# Enable members of the pcscd group to access generic CCID devices.
######################################################################
ATTRS{bInterfaceClass}=="0b", RUN+="/bin/chgrp pcscd $root/$parent"

######################################################################
# Add specific CCID devices to the pcscd group.
######################################################################
# SCM Microsystems, Inc.
ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", MODE="0660", GROUP="pcscd"
ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", MODE="0660", GROUP="pcscd"
ATTR{idVendor}=="04e6", ATTR{idProduct}=="511f", MODE="0660", GROUP="pcscd"
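The whole preparation procedure above as one script. This is an added example, not part of the original page: it writes the same scdaemon.conf and udev rules shown above, creates the group and enables pcscd. PREFIX, APPLY, TARGET_USER and the READERS list are assumptions of this script (the reader IDs default to the SCM Microsystems pairs from the page; lsusb shows yours). Without APPLY=1 it only defines the helpers, so you can inspect what it would write first.

```shell
#!/bin/sh
# Added example (not from the original page): stage the "Preparing Your
# System" steps for an OpenPGP card on Arch. Run as root with APPLY=1 to
# install packages, create the group and write the files; PREFIX stages
# the files under another root (e.g. PREFIX=/tmp/stage) for inspection.
set -eu

PREFIX="${PREFIX:-}"
PCSC_GROUP="${PCSC_GROUP:-pcscd}"
TARGET_USER="${TARGET_USER:-${SUDO_USER:-$(id -un)}}"
# vendor:product pairs from the page (SCM Microsystems); assumption, adjust to your reader
READERS="${READERS:-04e6:e003 04e6:5115 04e6:511f}"

# Write the page's scdaemon settings into the file given as $1, creating
# the directory with the 0700 mode GnuPG expects for its home.
write_scdaemon_conf() {
  dir=$(dirname "$1")
  mkdir -p "$dir" && chmod 700 "$dir"
  printf '%s\n' 'pcsc-driver /usr/lib/libpcsclite.so' 'card-timeout 5' > "$1"
}

# Print udev rules: one generic rule for USB interface class 0b (CCID) and
# one rule per vendor:product pair passed as an argument.
render_udev_rules() {
  printf '# Enable members of the %s group to access generic CCID devices.\n' "$PCSC_GROUP"
  printf 'ATTRS{bInterfaceClass}=="0b", RUN+="/bin/chgrp %s $root/$parent"\n' "$PCSC_GROUP"
  printf '# Add specific CCID devices to the %s group.\n' "$PCSC_GROUP"
  for id in "$@"; do
    vid=${id%%:*}
    pid=${id##*:}
    printf 'ATTR{idVendor}=="%s", ATTR{idProduct}=="%s", MODE="0660", GROUP="%s"\n' \
      "$vid" "$pid" "$PCSC_GROUP"
  done
}

# Return 0 if user $1 is listed as a member of group $2 in the user database.
# A user added with usermod -aG has to log in again before a session sees it.
user_in_group() {
  id -nG "$1" | tr ' ' '\n' | grep -qx "$2"
}

if [ "${APPLY:-0}" = "1" ]; then
  pacman -S --needed --noconfirm gnupg pcsclite pcsc-tools libusb-compat ccid
  groupadd -f "$PCSC_GROUP"
  usermod -aG "$PCSC_GROUP" "$TARGET_USER"
  mkdir -p "$PREFIX/etc/udev/rules.d"
  # READERS is a deliberately word-split list, hence unquoted
  render_udev_rules $READERS > "$PREFIX/etc/udev/rules.d/95-pcscd-rules-local.rules"
  udevadm control --reload
  udevadm trigger
  systemctl enable --now pcscd.service
  home=$(getent passwd "$TARGET_USER" | cut -d: -f6)
  write_scdaemon_conf "$PREFIX$home/.gnupg/scdaemon.conf"
  chown -R "$TARGET_USER" "$PREFIX$home/.gnupg"
  user_in_group "$TARGET_USER" "$PCSC_GROUP" || echo "warning: $TARGET_USER is not in $PCSC_GROUP" >&2
  echo "done; log in again as $TARGET_USER and run: gpg --card-status" >&2
fi
```

The generic class-0b rule is kept from the page because readers you have not listed explicitly still get the group change at plug-in time; the per-device rules set MODE=0660 so the nodes are never world-accessible. After logging back in, gpg --card-status as the target user is the real check: it exercises pcscd, the udev permissions and scdaemon together.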

Setting up the card

Using the card for SSH authentication

Tell gpg-agent to enable ssh-agent support:

# ~/.gnupg/gpg-agent.conf

enable-ssh-support

If you use ssh agent forwarding (ForwardAgent), anyone with root on the remote host can send challenges to your agent for as long as you are connected. Make the agent ask before every use of the key: with OpenSSH's own agent that is the "-c" flag of ssh-add (the "-c" flag of ssh-agent itself only selects C-shell output), and with gpg-agent it is the "confirm" flag on the key's line in ~/.gnupg/sshcontrol (see gpg-agent(1)). With a card-held key, the card-timeout set above also helps: once the card has powered down, the next operation needs the PIN again.